The WP-Strava plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
WPScan
A fix would be most welcome!
https://patchstack.com/database/vulnerability/weather-atlas/wordpress-weather-atlas-widget-plugin-3-0-1-cross-site-scripting-xss-vulnerability?_a_id=431
We waited a while, but finally decided to disable the plugin until the issue is resolved or find an alternative for users to rate posts. Do you plan to fix it in the near future? Please let us know in this thread when it is resolved so we can reactivate the plugin on our site.
Regards.
We currently have a multisite install with around 280 sites in it. All of the sites have custom ACF fields that allow content editors to insert code for tracking (pixels, scripts, etc). This naturally includes a script tag. Also, each site could have one or more snippets included in this box.
We just installed Wordfence the other day and are now getting tons of complaints from users trying to update these pages that their requests are being blocked. We’ve attempted to allow all requests for this. However, the requests keep coming. Not to mention new sites are added to this network almost monthly, so it will continue to be an issue.
Is there any way to add a rule that would allow this globally for all sites now and in the future? I would rather not turn off XSS, but that seems to be the way to go here.
I hope this message finds you well. I recently installed the Yuki Theme for WordPress (version 1.3.7) on my website and discovered that it is vulnerable to Cross-Site Scripting (XSS). The vulnerability has been reported in versions up to 1.3.7.
Given the security risk this poses, I would like to inquire whether you are aware of this issue and if there is a timeline for when a patch or update addressing this vulnerability will be released.
In the meantime, could you recommend any immediate mitigation steps I should take to secure my site until the vulnerability is resolved?
Thank you for your time and assistance. I look forward to your response and appreciate your dedication to maintaining a secure product.
Hello, this template line
%title%<br><span style="color:#ffffff;font-size:14px!important;text-transform: none;">%secondary_title%</span>
does not work anymore after a WordPress update to current version 6.6.2 and it seems as if I will have to delete the plugin. Before the update the plugin worked properly.
Does anybody have a solution?
Version 2.5.5 has a Cross-Site Scripting Vulnerability: https://patchstack.com/database/vulnerability/svg-support/wordpress-svg-support-plugin-2-5-5-authenticated-author-cross-site-scripting-via-svg-vulnerability